Skip to content

Latest commit

 

History

History
47 lines (28 loc) · 1.59 KB

File metadata and controls

47 lines (28 loc) · 1.59 KB

Cheesy Aegean Squirrel

Medium

Maximum Total Fees Mismatch Between README and Implementation

Summary

Incorrect MAX_TOTAL_FEES constant value will cause excessive fee charges (up to 100% instead of 10%) for users as admins can set fees much higher than documented.

Root Cause

In EthosVouch.sol https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L120 the constant MAX_TOTAL_FEES is set to 10000 basis points (100%) while documentation explicitly states maximum total fees should not exceed 10%. uint256 public constant MAX_TOTAL_FEES = 10000; // Allows 100% fees

This constant is used in checkFeeExceedsMaximum to assert that the total fee should be greater than this constant. Which in this case will allow fee to be more than 10%, it can reach to 99.99%

Internal pre-conditions

Admin needs to call any of this function setEntryProtocolFeeBasisPoints setEntryDonationFeeBasisPoints setEntryVouchersPoolFeeBasisPoints setExitFeeBasisPoints to set fees above 10%

External pre-conditions

No response

Attack Path

No response

Impact

Users could suffer up to a 90% higher loss of funds than documented through excessive fee settings. This dramatically changes the economics and trust assumptions of the protocol.

PoC

No response

Mitigation

uint256 public constant MAX_TOTAL_FEES = 1000; // 10% maximum